Security

Security Groups and Network ACLs

Security Groups

Instance-level firewall that controls inbound and outbound traffic.

  • Stateful - return traffic is automatically allowed
  • Allow rules only (no deny rules)
  • Applied at the ENI/instance level

Network ACLs

Subnet-level firewall that provides an additional layer of security.

  • Stateless - rules must be configured for both directions
  • Allow and deny rules
  • Applied at the subnet level

Security Exam Tips

  • Security Groups are stateful, NACLs are stateless
  • Security Groups have allow rules only, NACLs have allow and deny
  • Security Groups apply to instances, NACLs apply to subnets
  • Default NACL allows all traffic, custom NACL denies all by default
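To make the stateful/stateless and allow-only/allow-and-deny distinctions above concrete, here is an added teaching model (not AWS code, and not part of the original notes) that evaluates a constructed HTTPS request and its reply against a Security Group and against two Network ACLs. The `Packet` and `Rule` classes, the flow-tracking logic and the sample addresses are all simplified assumptions for illustration; real AWS connection tracking and rule matching have more detail than this.

```python
"""Simplified model of AWS Security Group vs Network ACL evaluation.
Added teaching example with constructed rules and packets; not AWS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the instance / subnet
    proto: str       # "tcp", "udp", ...
    src: str
    dst: str
    dst_port: int
    src_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str       # "-1" means any protocol, as in AWS
    cidr: str        # remote CIDR: source for inbound, destination for outbound
    port_from: int
    port_to: int     # port range is matched against the packet's destination port
    action: str = "allow"   # only NACLs may use "deny"
    number: int = 0         # NACL rule number; lowest is evaluated first


def _matches(rule: Rule, pkt: Packet) -> bool:
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "-1")
            and ip_address(remote) in ip_network(rule.cidr)
            and rule.port_from <= pkt.dst_port <= rule.port_to)


class SecurityGroup:
    """Stateful and allow-only: a packet permitted by a rule records its flow,
    and the reverse direction of a tracked flow is allowed without any rule.
    Anything else is implicitly denied. (A freshly created AWS SG also gets an
    allow-all outbound rule; add it explicitly here if you want to model it.)"""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups have allow rules only")
        self.rules = list(rules)
        self._flows = set()

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self._flows:
            return "allow"          # return traffic of a tracked connection
        if any(_matches(r, pkt) for r in self.rules):
            self._flows.add((pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return "allow"
        return "deny"


class NetworkAcl:
    """Stateless: every packet, return traffic included, is checked against the
    numbered rules in ascending order; the first match wins and the implicit
    trailing '*' rule denies whatever nothing matched."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if _matches(r, pkt):
                return r.action
        return "deny"


def demo():
    # Constructed scenario: client 203.0.113.5 opens HTTPS to web server 10.0.1.10
    request = Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 443, 51234)
    reply = Packet("out", "tcp", "10.0.1.10", "203.0.113.5", 51234, 443)

    # Security Group: one inbound rule is enough; the reply rides the tracked flow
    sg = SecurityGroup([Rule("in", "tcp", "0.0.0.0/0", 443, 443)])
    sg_result = (sg.evaluate(request), sg.evaluate(reply))          # allow, allow

    # NACL with only the inbound rule: the reply is dropped (stateless)
    nacl_half = NetworkAcl([Rule("in", "tcp", "0.0.0.0/0", 443, 443, number=100)])
    half_result = (nacl_half.evaluate(request), nacl_half.evaluate(reply))  # allow, deny

    # Complete NACL: explicit deny for one range (lower number wins), inbound 443,
    # and an outbound ephemeral-port rule so return traffic can leave the subnet
    nacl_full = NetworkAcl([
        Rule("in", "tcp", "192.0.2.0/24", 443, 443, action="deny", number=50),
        Rule("in", "tcp", "0.0.0.0/0", 443, 443, number=100),
        Rule("out", "tcp", "0.0.0.0/0", 1024, 65535, number=100),
    ])
    full_result = (nacl_full.evaluate(request), nacl_full.evaluate(reply))  # allow, allow
    blocked = nacl_full.evaluate(Packet("in", "tcp", "192.0.2.7", "10.0.1.10", 443, 40000))
    return sg_result, half_result, full_result, blocked


if __name__ == "__main__":
    print(demo())
```

The second NACL is the one to remember for the exam: because the ACL is stateless, the outbound rule covering ephemeral ports (1024-65535) is what lets the server's replies out, and the explicit deny at rule number 50 takes precedence over the broader allow at 100 only because it is evaluated first.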